CVE-2025-0890

9.8 CRITICAL

📋 TL;DR

This vulnerability involves insecure default credentials for the Telnet function in Zyxel VMG4325-B10A DSL CPE devices. An attacker who can reach the Telnet service can log into the management interface if administrators fail to change the default credentials after deployment. It affects users of legacy Zyxel DSL CPE devices running the vulnerable firmware.

💻 Affected Systems

Products:
  • Zyxel VMG4325-B10A DSL CPE
Versions: Firmware version 1.00(AAFR.4)C0_20170615
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects legacy devices with this specific firmware. Vulnerability exists when Telnet is enabled and default credentials remain unchanged.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to reconfigure network settings, intercept traffic, install malware, or use device as pivot point into internal network.

🟠

Likely Case

Unauthorized access to management interface leading to network configuration changes, service disruption, or credential harvesting.

🟢

If Mitigated

No impact if default credentials were changed during initial setup or if Telnet access is disabled.

🌐 Internet-Facing: HIGH - Devices with Telnet exposed to internet are directly vulnerable to credential guessing attacks.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if Telnet is enabled on internal network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only Telnet access and knowledge of default credentials. No special tools or skills needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

Restart Required: No

Instructions:

No firmware patch available. Follow vendor advisory recommendations:
  1. Change default credentials immediately.
  2. Disable Telnet if not needed.
  3. Consider replacing legacy devices.

🔧 Temporary Workarounds

Change Default Credentials

Applies to: all

Immediately change default Telnet credentials to strong, unique passwords.

  1. Log in to the device management interface via web or console
  2. Navigate to Administration > User Accounts
  3. Change the default admin password to a complex password

Disable Telnet Service

Applies to: all

Disable Telnet access if not required for operations.

  1. Log in to the device management interface
  2. Navigate to Management > Access Control
  3. Disable the Telnet service
  4. Enable SSH instead if remote access is needed

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable devices from critical systems
  • Deploy network access controls to restrict Telnet traffic to authorized management stations only

🔍 How to Verify

Check if Vulnerable:

Attempt Telnet connection to device on port 23 using default credentials. If login succeeds, device is vulnerable.

Check Version:

Check the firmware version in the web interface under Maintenance > System Info, or via the console command 'show version'.

Verify Fix Applied:

Attempt a Telnet login with the default credentials; it should fail. Verify that the new credentials work and the old ones do not.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful login
  • Multiple Telnet connection attempts from single source
  • Configuration changes from unexpected sources

Network Indicators:

  • Telnet traffic to device management interface
  • Brute force patterns on port 23
  • Unexpected outbound connections from device

SIEM Query:

source_port=23 AND (event_type="authentication_success" OR event_type="configuration_change")
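As an added example (not from the advisory or from Zyxel), the log indicators above turned into detection logic that runs over constructed sample lines. The syslog-like layout, the process names (telnetd, login, cfg), the message wording and the allowed_mgmt set of trusted management addresses are all assumptions, since the device's real log format is not on this page.

```python
import re
from collections import defaultdict

# Constructed sample lines; the VMG4325-B10A's real log layout is an assumption.
SAMPLE_LOG = """\
Jun 15 10:01:02 cpe telnetd: connection from 192.0.2.10
Jun 15 10:01:05 cpe login: FAILED LOGIN for admin from 192.0.2.10
Jun 15 10:01:09 cpe telnetd: connection from 192.0.2.10
Jun 15 10:01:12 cpe login: FAILED LOGIN for admin from 192.0.2.10
Jun 15 10:01:15 cpe telnetd: connection from 192.0.2.10
Jun 15 10:01:18 cpe login: LOGIN OK for admin from 192.0.2.10
Jun 15 10:02:00 cpe cfg: configuration changed by admin from 192.0.2.10
Jun 15 11:00:00 cpe telnetd: connection from 10.0.0.5
Jun 15 11:00:03 cpe login: LOGIN OK for admin from 10.0.0.5
"""

# Message pattern -> event type; each pattern captures the source address.
EVENT_PATTERNS = [
    ("connection", re.compile(r"^connection from (\S+)")),
    ("auth_fail", re.compile(r"^FAILED LOGIN for \S+ from (\S+)")),
    ("auth_ok", re.compile(r"^LOGIN OK for \S+ from (\S+)")),
    ("config_change", re.compile(r"^configuration changed by \S+ from (\S+)")),
]

def parse_events(text):
    """Yield (event_type, source_ip) for each recognised log line, in order."""
    for line in text.splitlines():
        msg = line.split(": ", 1)[-1]  # drop "timestamp host process: " prefix
        for event, pattern in EVENT_PATTERNS:
            m = pattern.match(msg)
            if m:
                yield event, m.group(1)
                break

def detect(text, allowed_mgmt=frozenset(), conn_threshold=3):
    """Apply the three log indicators; return a sorted list of (rule, ip)."""
    failures, connections, alerts = defaultdict(int), defaultdict(int), set()
    for event, ip in parse_events(text):
        if event == "connection":
            connections[ip] += 1
            if connections[ip] >= conn_threshold:
                alerts.add(("repeated_telnet_connections", ip))
        elif event == "auth_fail":
            failures[ip] += 1
        elif event == "auth_ok" and failures[ip] > 0:
            alerts.add(("failures_then_success", ip))
        elif event == "config_change" and ip not in allowed_mgmt:
            alerts.add(("config_change_unexpected_source", ip))
    return sorted(alerts)
```

With the sample above, 192.0.2.10 trips all three rules while the trusted station 10.0.0.5 (one connection, first-try success) produces no alert.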
